Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

MiMo Voice Assistant

v1.0.8

End-to-end voice solution for OpenClaw agents. Xiaomi MiMo-V2-TTS with emotion-aware speech generation, MiMo-V2-Omni for voice transcription. Multi-platform...

by Little Moon @nciae-zyh
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description (MiMo TTS/STT + emotion) matches the code and declared requirements: node and ffmpeg for audio conversion, and a single MIMO_API_KEY for the Xiaomi API.
Instruction Scope
SKILL.md instructs installing dependencies, running a local proxy, and wiring OpenClaw to localhost. It explicitly warns that audio/text are sent to api.xiaomimimo.com. Minor scope note: examples show optional env vars (MIMO_TTS_PORT, MIMO_TTS_VOICE, MIMO_API_BASE) and systemd/launchd examples that embed the API key inline — these are operational/security notes but not incoherent with purpose.
Install Mechanism
No remote downloads or obscure install hosts; code is bundled and built via npm install locally (package.json depends only on fluent-ffmpeg). This is low-risk compared with arbitrary URL downloads.
Credentials
Only MIMO_API_KEY is required, which is proportional. The code also reads optional env vars (MIMO_TTS_PORT, MIMO_TTS_VOICE, MIMO_API_BASE) that are reasonable. Operational examples show storing API keys in service files — a security practice concern but not a mismatch with the skill's purpose.
Persistence & Privilege
Skill is user-invocable and not forced-always; it does not request elevated system privileges or modify other skills. Service examples suggest running as a systemd/launchd service, which is normal for a long-running local proxy.
Assessment
This skill appears internally consistent, but review these practical safety points before installing:
1) The proxy sends text and base64 audio to Xiaomi's api.xiaomimimo.com — verify you trust that service and its privacy terms.
2) Keep your MIMO_API_KEY secret: prefer a secure secret store over embedding it directly in systemd/launchd/service files, and rotate keys if possible.
3) The proxy binds to 127.0.0.1 only, which limits exposure, but any local web app or compromised process that can call localhost could trigger requests — consider running the proxy in a container or restricted account if you need extra isolation.
4) The server accepts an Authorization Bearer header to override the env key; only allow local callers you control.
5) Verify you have a compatible Node version (Node 18+ for global fetch) and ffmpeg if you need mp3/opus output.
If you want, I can list the exact lines to change to harden the service (disable header key override, tighten temp file handling, or force secure storage of the API key).
mimo-tts-proxy/src/server.mjs:20
Environment variable access combined with network send.
mimo-tts-proxy/src/stt.mjs:14
Environment variable access combined with network send.
mimo-tts-proxy/src/server.mjs:16
File read combined with network send (possible exfiltration).
mimo-tts-proxy/src/stt.mjs:12
File read combined with network send (possible exfiltration).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

Bins: node, ffmpeg
Env: MIMO_API_KEY
